Finding Users On Your Network, Using PCs, and Running a Certain Application

Recently I was asked to determine which users were using a certain application in our Citrix Farm. We are using a published desktop, and while EdgeSight has reports that show published applications, it has few built-in reports that show what users are running in their sessions. In addition, I was only looking for users who were on our internal network and not using a thin client. Unless your network team has created a very segregated network, and you have set up user groups based on various subnets and devices, this sort of information is impossible to pull out of EdgeSight. In this post I will show you a query that gathers this information.

If you have several requests with different criteria, you can declare some variables to help you. In this case, I’ve created a variable called @app that I can set to any executable that I’m reporting on. To refer to this variable in the query, I use it in the WHERE clause with a LIKE operator and a wildcard pattern.

WHERE apptbl.exe_name like '%'+@app+'%'

The rest of the WHERE clause helps us find the users we are looking for.

and apptbl.account_name <> 'UNKNOWN'
and serv.client_address not like '192%'
and icatbl.client_directory not like '\%'
and convert(varchar(10),dateadd(hh,-4,apptbl.time_stamp), 111) >= @today-30
and apptbl.sessid = serv.sessid and icatbl.sessid = serv.sessid
and CONVERT(VARCHAR(10),DATEADD(hh,-4,apptbl.time_stamp), 111) = CONVERT(VARCHAR(10),DATEADD(hh,-4,serv.time_stamp), 111)

I have filtered out user IP addresses that start with “192”, as this is typical of home-based routers. Obviously, you can modify this to reflect your own network. To filter out thin clients, I’m not selecting any client directories that start with “\”. I’ve found that thin clients (in my case Wyse) have file systems that begin with a “\”, and you can refer to my post that covered finding non-PC devices in EdgeSight here. Finally, I’m only looking at entries for the past 30 days, where the sessids match, and where the time_stamps match.
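
To see the whole WHERE clause at work, here is an added example (not the query from the original post and not EdgeSight's schema) that runs the same predicates against constructed sample rows. The table variables, their columns beyond those named above, the SELECT list, and the values of @app and @today are assumptions made for illustration.

```sql
-- Added example: the table variables are constructed stand-ins for the sources the
-- post aliases as apptbl, serv and icatbl; they are not EdgeSight's own schema.
SET DATEFORMAT ymd;  -- so the style-111 (yyyy/mm/dd) strings convert back to datetime predictably

DECLARE @app    varchar(50) = 'winword';              -- executable being reported on
DECLARE @today  datetime    = GETDATE();
DECLARE @recent datetime    = DATEADD(dd, -2,  @today);  -- inside the 30-day window
DECLARE @old    datetime    = DATEADD(dd, -45, @today);  -- outside the 30-day window

DECLARE @apptbl TABLE (sessid int, account_name varchar(50), exe_name varchar(50), time_stamp datetime);
DECLARE @serv   TABLE (sessid int, client_address varchar(15), time_stamp datetime);
DECLARE @icatbl TABLE (sessid int, client_directory varchar(100));

-- Constructed sample rows, one per filter in the WHERE clause.
INSERT INTO @apptbl VALUES
  (1, 'alice',   'winword.exe', @recent),  -- internal PC
  (2, 'bob',     'winword.exe', @recent),  -- client address starts with 192
  (3, 'carol',   'winword.exe', @recent),  -- client directory starts with \
  (4, 'dave',    'winword.exe', @old),     -- older than 30 days
  (5, 'UNKNOWN', 'winword.exe', @recent),  -- unresolved account name
  (6, 'erin',    'excel.exe',   @recent);  -- different executable
INSERT INTO @serv VALUES
  (1, '10.1.20.15', @recent), (2, '192.168.1.20', @recent), (3, '10.1.30.7',  @recent),
  (4, '10.1.20.16', @old),    (5, '10.1.20.17',   @recent), (6, '10.1.20.18', @recent);
INSERT INTO @icatbl VALUES
  (1, 'C:\Program Files\Citrix\ICA Client'), (2, 'C:\Program Files\Citrix\ICA Client'),
  (3, '\Program Files\ICA'),                 (4, 'C:\Program Files\Citrix\ICA Client'),
  (5, 'C:\Program Files\Citrix\ICA Client'), (6, 'C:\Program Files\Citrix\ICA Client');

-- Same predicates as in the post, applied to the stand-in tables.
SELECT DISTINCT apptbl.account_name, apptbl.exe_name, serv.client_address, icatbl.client_directory
FROM @apptbl AS apptbl, @serv AS serv, @icatbl AS icatbl
WHERE apptbl.exe_name LIKE '%' + @app + '%'
  AND apptbl.account_name <> 'UNKNOWN'
  AND serv.client_address NOT LIKE '192%'
  AND icatbl.client_directory NOT LIKE '\%'
  AND CONVERT(varchar(10), DATEADD(hh, -4, apptbl.time_stamp), 111) >= @today - 30
  AND apptbl.sessid = serv.sessid AND icatbl.sessid = serv.sessid
  AND CONVERT(varchar(10), DATEADD(hh, -4, apptbl.time_stamp), 111)
    = CONVERT(varchar(10), DATEADD(hh, -4, serv.time_stamp), 111);
```

Note that '192%' is a plain string prefix match, so it excludes every address whose first octet is 192, not only 192.168.x.x; tighten the pattern if part of your internal range starts with 192.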